Keep Learning with Oracle University
Classroom Training, Live Virtual Class, Training On Demand
Cloud, Technology, Applications, Industries
education.oracle.com
Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Session Surveys
Help us help you!!
Oracle would like to invite you to take a moment to give us your session
feedback. Your feedback will help us to improve your conference.
Please be sure to add your feedback for your attended sessions by using
the Mobile Survey or in Schedule Builder.

Finally, EE Security API
JSR 375
Alex Kosowski
JSR 375 Specification Lead
Oracle, WebLogic Server Security
October 27, 2015

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda

Motivations
A New JSR
Ideas
Get Involved
Q & A


Why a Java EE Security API JSR?

EE 8 survey results: 4500 total responses
(Slide shows a pie chart of priorities.)

What's wrong with Java EE Security?

The community says:

"The ultimate goal is to have basic security working without
the need of any kind of vendor specific configuration,
deployment descriptors, or whatever."
Arjan Tijms

"[The EE security] model is problematic in cloud/PaaS
environments where developers do not necessarily have easy
access to non-standard vendor runtime features and a
self-contained application is much easier to manage."
Reza Rahman

What's wrong with Java EE Security?

Java EE Security viewed as not portable, abstract/confusing, antiquated
Doesn't fit the cloud app developer paradigm: requires app server configuration
Losing value to non-standard 3rd party frameworks; less likely to move back to Java EE

What to do?

Plug the portability holes
Modernize
  Contexts and Dependency Injection (CDI): intercept at Access Enforcement Points (POJO methods)
  Expression Language (EL): enable Access Enforcement Points with complex rules
  Lambda Expressions
App Developer Friendly
  Common security configurations not requiring server changes
  Annotation defaults not requiring XML


JSR 375 History

August 2014: First proposed to Oracle Java EE Architects
December 2014: Approved by JCP
Expert Group nominations:
  EE API veterans: many JSRs, many years struggling with the Security API
  3rd party security framework creators/developers
  EE platform security implementers
March 2015: Expert Group started discussions

JSR 375 Expert Group

Name                  Representing
Adam Bien             Individual
David Blevins         Tomitribe
Rudy De Busscher      Individual
Ivar Grimstad         Individual
Les Hazlewood         Stormpath, Inc.
Will Hopkins          Oracle
Werner Keil           Individual
Matt Konda            Jemurai
Alex Kosowski         Oracle
Darran Lofthouse      RedHat
Jean-Louis Monteiro   Tomitribe
Ajay Reddy            IBM
Pedro Igor Silva      RedHat
Arjan Tijms           ZEEF

JSR 375 Expert Group

In the first month, the expert group had an EXPLOSION of activity
Lots of brainstorming!
237 messages on the EG mailing list
81 commits in GitHub playgrounds for examples and proposals
24 JIRA issues

JSR 375 Roadmap

Early Draft Review: Q4 2015
Public Review/RI: Q1 2016
Proposed Final Draft: Q3 2016
Final Release/RI/TCK: H1 2017


Ideas
To modernize, standardize, simplify

Terminology
API for Authentication Mechanism
API for Identity Store
API for Password Aliasing
API for Role/Permission Assignment
API for Security Context
API for Authorization Interceptors

Ideas
To modernize, standardize, simplify
(Slide shows the six areas as a diagram: Role/Permission Assignment, Identity Store, Authentication Mechanism, Security Context, Authorization Interceptors, Password Aliasing.)


Ideas - Terminology

EG discussions revealed inconsistency in security API terms
Different EE containers have different names for the same concepts
When something gets authenticated, is that something:
  A User? (e.g. HttpServletRequest.getUserPrincipal)
  A Caller? (e.g. EJBContext.getCallerPrincipal)
What is a group?
  A group of users?
  A permission?
  Vs Role?

Ideas - Terminology

What is that something where identities are stored?
  security provider (WebLogic)
  realm (Tomcat, some hints in Servlet spec)
  (auth) repository
  (auth) store
  login module (JAAS)
  identity manager (Undertow)
  authenticator (Resin, OmniSecurity, Seam Security)
  authentication provider (Spring Security)
  identity provider


Use Case
API for Authentication Mechanism

Application manages its own users and groups
  Application needs to authenticate users in order to assign Roles
  Application authenticates based on application-domain models
Application needs to use an authentication method not supported on the
server, like OpenID Connect
Developer wants to use a portable EE Authentication standard

Current Solutions
API for Authentication Mechanism

Proprietary server support
3rd party security frameworks provide authentication
JASPIC: Java Authentication Service Provider Interface for Containers

JASPIC
Java Authentication Service Provider Interface for Containers

JSR 196, Maintenance Release 1.1, in 2013
Standardized, portable, thin, low-level authentication framework
Extensible from within an application
Integrates with the container to build an authenticated Subject
Implements most authentication methods

JASPIC Server Auth Module

// javax.security.auth.message.module.ServerAuthModule (JSR 196); in the real
// interface the three message-processing methods also declare AuthException
public interface ServerAuthModule {

    public void initialize(MessagePolicy requestPolicy,
        MessagePolicy responsePolicy, CallbackHandler handler,
        Map options) throws AuthException;

    // called for every request; authenticates the caller into clientSubject
    public AuthStatus validateRequest(MessageInfo messageInfo,
        Subject clientSubject, Subject serviceSubject) throws AuthException;

    public Class<?>[] getSupportedMessageTypes();

    // called after the application has produced its response
    public AuthStatus secureResponse(MessageInfo messageInfo,
        Subject serviceSubject) throws AuthException;

    // called on logout to remove principals and credentials from the subject
    public void cleanSubject(MessageInfo messageInfo, Subject subject)
        throws AuthException;
}

JASPIC Per-Application Installation

Chain of classes involved today:
ServletContextListener -> AuthConfigFactory -> AuthConfigProvider -> ServerAuthConfig -> ServerAuthContext -> ServerAuthModule

Ideas: Simple ServerAuthModule Installation

(Slide shows the same chain with AuthConfigFactory, AuthConfigProvider, ServerAuthConfig and ServerAuthContext collapsed: the application provides only a ServletContextListener and a ServerAuthModule.)

Ideas: Simple ServerAuthModule Installation

@WebListener
public class SamRegistrationListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        Jaspic.registerServerAuthModule(new TokenAuthModule(),
            sce.getServletContext());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}

Ideas: Simple ServerAuthModule Installation

@Authenticator("org.acme.TokenAuthModule")
@WebServlet("/SimpleServlet")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"}))
public class SimpleServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request,
        HttpServletResponse response)
        throws ServletException, IOException {
        response.getWriter().print("my GET");
    }
}

Ideas: Profile Specific Helper Classes

// Plain JASPIC: every method of the interface has to be written out, even
// though only validateRequest does real work for a simple HTTP module
public class BasicServerAuthModule implements ServerAuthModule {

    public void initialize(MessagePolicy requestPolicy,
        MessagePolicy responsePolicy, CallbackHandler handler,
        Map options) throws AuthException { }

    public Class<?>[] getSupportedMessageTypes() {
        return new Class<?>[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus secureResponse(MessageInfo messageInfo,
        Subject serviceSubject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject)
        throws AuthException { }

    public AuthStatus validateRequest(MessageInfo messageInfo,
        Subject clientSubject, Subject serviceSubject) throws AuthException {
        final HttpServletRequest request =
            (HttpServletRequest) messageInfo.getRequestMessage();
        // authentication logic elided on the slide; fail closed until it is written
        return AuthStatus.SEND_FAILURE;
    }
}

Ideas: Profile Specific Helper Classes

// With a profile-specific base class only the HTTP-level hook remains
public class BasicServerAuthModule extends HttpServerAuthModule {

    public AuthStatus validateHttpRequest(HttpServletRequest request,
        HttpServletResponse response, HttpMessageContext httpMessageContext)
        throws AuthException {
        // validation logic goes here (filled in on the next slide)
        return AuthStatus.SEND_FAILURE; // fail closed until implemented
    }
}

Ideas: Profile Specific Helper Classes

public class BasicServerAuthModule extends HttpServerAuthModule {

    public AuthStatus validateHttpRequest(HttpServletRequest request,
        HttpServletResponse response, HttpMessageContext httpMessageContext)
        throws AuthException {

        final String header = request.getHeader("Authorization");
        // parseCredentials: helper (not shown on the slide) that decodes the Basic
        // header into {username, password}, or returns null when absent or malformed
        final String[] credentials = parseCredentials(header);
        if (credentials == null) {
            return AuthStatus.SEND_FAILURE; // no usable credential: fail closed
        }
        final String username = credentials[0];
        final String password = credentials[1];
        if (!"snoopy".equals(username) || !"woodst0ck".equals(password)) {
            return AuthStatus.FAILURE;
        } // No callbacks required!!!
        return httpMessageContext.notifyContainerAboutLogin(
            "snoopy",
            // the groups/roles of the authenticated user
            Arrays.asList("RedBaron", "JoeCool", "MansBestFriend"));
    }
}
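The slide calls a parseCredentials helper without showing it. The following is an added example (not code from the deck or from any JSR 375 artifact) of what that helper has to handle for HTTP Basic: a missing header, a different scheme, invalid base64, and a password that itself contains a colon. It assumes the header value is handed in as a String, and it adds a constant-time comparison for the hard-coded password check the slide performs with String.equals.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example: a parseCredentials helper for the HTTP Basic "Authorization"
// header, covering the failure cases the slide's code skips.
public final class BasicCredentialParser {

    // Returns {username, password}, or null when the header is absent or
    // malformed so the module can answer AuthStatus.SEND_FAILURE (fail closed).
    public static String[] parseCredentials(String header) {
        if (header == null) {
            return null;                              // no Authorization header
        }
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return null;                              // not a Basic response
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null;                              // invalid base64
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;                              // RFC 7617: user-id ":" password
        }
        // Split on the FIRST colon only; passwords may legitimately contain ':'
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    // Constant-time comparison so a mismatch does not leak how many bytes matched.
    public static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample header: base64 of "snoopy:woodst0ck", as on the slide
        String header = "Basic " + Base64.getEncoder().encodeToString(
            "snoopy:woodst0ck".getBytes(StandardCharsets.UTF_8));
        String[] creds = parseCredentials(header);
        System.out.println("user=" + creds[0] + " passwordMatches="
            + constantTimeEquals("woodst0ck", creds[1]));

        // Each of these yields null and should end in SEND_FAILURE
        System.out.println("missing header -> " + parseCredentials(null));
        System.out.println("bearer token   -> " + parseCredentials("Bearer abc"));
        System.out.println("bad base64     -> " + parseCredentials("Basic %%%"));
    }
}
```

Returning null rather than throwing keeps the decision in validateHttpRequest, where the module chooses between FAILURE (bad credential) and SEND_FAILURE (no credential at all) as the slide does.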

Ideas: Standardized Authenticators

OpenID Connect ServerAuthModule
@Authenticator("javax.security.authenticator.OpenIDConnect")
@WebServlet("/SimpleServlet")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"manager"}))
public class SimpleServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
        response.getWriter().print("my GET");
    }
}

Ideas: Authentication Events

Throw standardized CDI events at important moments
  PreAuthenticate Event
  PostAuthenticate Event
  PreLogout Event
  PostLogout Event

Possible uses:
  Tracking number of logged-in users
  Tracking failed login attempts per account
  Side effects, like creating a new local user after initial successful authentication via a remote authentication provider
  Loading application-specific user preferences
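One of the uses listed above, tracking failed login attempts per account, as an added example of a CDI observer for the proposed PostAuthenticate event. This is not code from the deck; the JSR had not defined the event API at this point, so the PostAuthenticateEvent type and its getCallerName()/isSuccessful() accessors are assumed here and declared as a stand-in interface.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;

// Added example: counts failed logins per caller from the proposed CDI event.
@ApplicationScoped
public class FailedLoginTracker {

    // ASSUMED stand-in for the event type the JSR would fire after authentication
    public interface PostAuthenticateEvent {
        String getCallerName();      // name the caller claimed, may be null
        boolean isSuccessful();      // outcome of the authentication mechanism
    }

    private static final int ALERT_THRESHOLD = 5;   // constructed policy value
    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    public void onPostAuthenticate(@Observes PostAuthenticateEvent event) {
        String caller = event.getCallerName();
        if (caller == null) {
            return;                     // nothing to attribute the attempt to
        }
        if (event.isSuccessful()) {
            failures.remove(caller);    // a good login resets the counter
            return;
        }
        int count = failures.computeIfAbsent(caller, c -> new AtomicInteger())
                            .incrementAndGet();
        if (count >= ALERT_THRESHOLD) {
            // hand-off point for alerting; the mechanism can consult isLocked()
            System.err.println("ALERT: " + count + " consecutive failed logins for " + caller);
        }
    }

    // Queried by the authentication mechanism before it accepts another attempt.
    public boolean isLocked(String caller) {
        AtomicInteger n = failures.get(caller);
        return n != null && n.get() >= ALERT_THRESHOLD;
    }

    // Exposed for an administrative unlock
    public void reset(String caller) {
        failures.remove(caller);
    }
}
```

Because the observer sees every outcome, it also covers the "number of logged-in users" use from the slide with a second counter; a per-caller count that is reset on success, as here, is the shape that feeds a lockout or alerting rule without the authentication mechanism itself having to know about it.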


Use Case
API for Identity Store

Application manages its own users and groups
  Need to access a repository of identities, like users
  Users may be stored in an app-specified repository (e.g. LDAP)
  Users are managed without access to server configuration

Survey Results
API for Identity Store

Survey question: Should we standardize on requirements for simple security providers and their configuration?

(Slide shows an excerpt of the Java EE 8 community survey report. Figures legible in the excerpt:
  Approximately 58% thought we should add support for password aliases, including the ability to provision credentials along with the application.
  70% thought that we should standardize group-to-role mapping.
  53% thought we should simplify JASPIC authentication.
  67% thought that we should simplify authorization and make it more flexible by introducing EL-based authorization annotations, introducing a capability more general than use of @RolesAllowed and simpler than use of interceptors to do programmatic authorization.
  65% thought we should standardize on requirements for simple security providers and [text cut off on the slide].)

Current Solutions
API for Identity Store

No Java EE support
Only proprietary server support
3rd party security frameworks provide user/group APIs

Ideas: Identity Store

(Diagram: the caller's credentials are passed to the IdentityStore, which is backed by a DB, a file or LDAP and returns the caller name and groups.)

Ideas: Identity Store Interaction

(Diagram) 1) validate(Credential) is called on the IdentityStore; 2) it returns a CredentialValidationResult:
  + getStatus():Status
  + getCallerName():String
  + getCallerGroups():List<String>

Ideas: Identity Store

@Inject
IdentityStore store;

CallerNamePasswordCredentials creds =
    new CallerNamePasswordCredentials("scott", "password".toCharArray());

CredentialValidationResult result = store.validate(creds);

// VALID is a static import of CredentialValidationResult.Status.VALID
if (VALID.equals(result.getStatus())) {
    // successful validation
    String callerName = result.getCallerName();
    List<String> groups = result.getCallerGroups();

    // TODO: Apply to container using JASPIC callback handler
} else {
    // invalid credential
}

Ideas: Identity Store Credentials

Credential
  + clear():void
  + getCallerName():String
  + isCleared():boolean
  + isValid():boolean

Extended by:
  CallerNamePasswordCredential
    + getPassword():Password
  TokenCredential
    + getToken():String
  BasicAuthenticationCredential

Ideas: Identity Store Standard Implementations

IdentityStore
  + validate(Credential):CredentialValidationResult

Standard IdentityStore implementations are annotated as CDI Alternatives.

Implementations:
  JsonFileIdentityStore
  LdapIdentityStore
  DatabaseIdentityStore
  JaasIdentityStore
  EmbeddedIdentityStore

Ideas: Identity Store

@LdapIdentityStoreDefinition(
    url="ldap://localhost:10389",
    searchDn="uid=jsr375,dc=simple,dc=jsr375,dc=org",
    searchCredential="secret"
)
public class SomeClass {}

@JsonIdentityStoreDefinition(
    filePath="/idstore.json")
public class SomeClass {}

Ideas: Identity Store

@EmbeddedIdentityStoreDefinition({
    @Credentials(callerName = "reza", password = "secret1", groups = { "foo", "bar" }),
    @Credentials(callerName = "alex", password = "secret2", groups = { "foo", "kaz" }),
    @Credentials(callerName = "arjan", password = "secret3", groups = { "foo" }) })
public class SomeClass {}

@DataBaseIdentityStoreDefinition(
    dataSourceLookup="java:/app/myDS",
    callerQuery="select password from caller where name = ?",
    groupsQuery="select group from caller_groups where caller_name = ?",
    hashAlgorithm="SHA-256",
    hashEncoding="base64"
)
public class SomeClass {}
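The validate(Credential) -> CredentialValidationResult interaction shown a few slides back, and the hashAlgorithm/hashEncoding settings of the database definition above, leave open what a store actually does with the password. The following is an added example, not code from the deck or the JSR 375 reference implementation, of an in-memory store that mirrors the proposal's shapes (the nested Status, CredentialValidationResult and CallerNamePasswordCredential types are stand-ins for the proposal's classes). It deliberately swaps the slide's plain SHA-256 for salted PBKDF2 with HMAC-SHA256, since an unsalted digest of a password is not a password hash, and it hashes unknown callers too so the response time does not reveal whether a name exists.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: an in-memory IdentityStore in the shape the deck proposes.
public class InMemoryIdentityStore {

    public enum Status { VALID, INVALID, NOT_VALIDATED }   // stand-in for the proposal's Status

    public static final class CredentialValidationResult {   // stand-in
        private final Status status; private final String callerName; private final List<String> groups;
        CredentialValidationResult(Status s, String c, List<String> g) { status = s; callerName = c; groups = g; }
        public Status getStatus() { return status; }
        public String getCallerName() { return callerName; }
        public List<String> getCallerGroups() { return groups; }
    }

    public static final class CallerNamePasswordCredential {  // stand-in
        private final String callerName; private final char[] password;
        public CallerNamePasswordCredential(String n, char[] p) { callerName = n; password = p.clone(); }
        public String getCallerName() { return callerName; }
        public char[] getPassword() { return password; }
        public void clear() { Arrays.fill(password, '\0'); }
    }

    private static final class Record { byte[] salt; byte[] hash; List<String> groups; }
    private static final int ITERATIONS = 100_000;        // constructed work factor
    private final Map<String, Record> callers = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Provisioning side: keep a per-caller salt and the PBKDF2 output, never the password.
    public void addCaller(String name, char[] password, String... groups) throws GeneralSecurityException {
        Record r = new Record();
        r.salt = new byte[16];
        random.nextBytes(r.salt);
        r.hash = pbkdf2(password, r.salt);
        r.groups = Collections.unmodifiableList(Arrays.asList(groups));
        callers.put(name, r);
    }

    public CredentialValidationResult validate(CallerNamePasswordCredential cred) throws GeneralSecurityException {
        Record r = callers.get(cred.getCallerName());
        // Unknown caller: still run the KDF against a dummy salt so timing is uniform
        byte[] salt = (r != null) ? r.salt : new byte[16];
        byte[] computed = pbkdf2(cred.getPassword(), salt);
        cred.clear();                                        // password no longer needed
        if (r != null && MessageDigest.isEqual(r.hash, computed)) {
            return new CredentialValidationResult(Status.VALID, cred.getCallerName(), r.groups);
        }
        return new CredentialValidationResult(Status.INVALID, null, Collections.<String>emptyList());
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        InMemoryIdentityStore store = new InMemoryIdentityStore();
        store.addCaller("scott", "password".toCharArray(), "foo", "bar");   // constructed sample
        CredentialValidationResult ok =
            store.validate(new CallerNamePasswordCredential("scott", "password".toCharArray()));
        CredentialValidationResult bad =
            store.validate(new CallerNamePasswordCredential("scott", "wrong".toCharArray()));
        CredentialValidationResult nobody =
            store.validate(new CallerNamePasswordCredential("nobody", "password".toCharArray()));
        System.out.println(ok.getStatus() + " " + ok.getCallerName() + " " + ok.getCallerGroups());
        System.out.println(bad.getStatus() + " " + nobody.getStatus());
    }
}
```

The INVALID result carries no caller name and no groups, which matches the contract the slide's consumer code relies on: only the VALID branch reads getCallerName() and getCallerGroups() before handing them to the container.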

Ideas: Identity Store Standard Implementations

JaasIdentityStore sequence (diagram):
  1) validate on JaasIdentityStore
  2) login on the JAAS LoginContext
  3) login on the LoginModule
  4) commit on the LoginModule
  5) JaasSubjectPrincipalResolver gets caller, groups, roles from the Subject
  6) logout on the LoginContext
  7) logout on the LoginModule

Ideas: Identity Store Optional Interfaces

Optional Query Interfaces (an IdentityStore implementation may implement any of these in addition to IdentityStore):
  CallerStore
  GroupStore
  RoleStore
  CallerRoleMap
  GroupRoleMap

Ideas: Identity Store Optional Interfaces

@Inject
IdentityStore idStore;

List<String> callers = idStore.getCallers("smith");
List<String> groups = idStore.getGroups("*");
boolean inGroup = idStore.isCallerInGroup("jsmith", "Manager");


Use Case
API for Password Aliasing

Application uses passwords to access resources like LDAP and DB
  Passwords stored in annotations, deployment descriptors
  Best practices dictate that passwords are never stored in clear text
  Need a portable way to protect stored passwords

Survey Results
API for Password Aliasing

Survey question: Should we add support for password aliases (including the ability to provision credentials along with the application)?
Deferred from Java EE 7

(Slide shows an excerpt of the Java EE 8 community survey report, "Security" section: "Most of the suggested improvements in the security area received strong support." The excerpt also shows the following question, "Should we standardize group-to-role mapping?")

Current Solutions
API for Password Aliasing

No Java EE support
Proprietary server support, e.g. GlassFish
3rd party security framework support for embedded password encryption, not aliasing

Ideas: Password Aliasing

For annotations
@DataSourceDefinition(
    name="java:app/jdbc/test",
    user="root",
    password="${ALIAS=password}")

For deployment descriptors
<data-source>
    <name>java:app/env/testDS</name>
    <user>APP</user>
    <password>${ALIAS=password}</password>
</data-source>

Ideas: Password Aliasing

(Diagram) ${ALIAS=token} is resolved to the actual value, e.g. "mysecret", when used, and cleared when done.

Ideas: Password Aliasing

(Diagram: Password Alias Archive)

Ideas: Password Aliasing

For configuration: Annotations, Deployment Descriptors
Secure credentials archive for bundling the alias and actual password values with applications
Platform consumes the credentials archive upon deployment
Standard tooling for CRUD operations on the credential archive, e.g. keytool
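The three slides above describe the mechanism (a ${ALIAS=token} reference in configuration, a credential archive bundled with the application, resolution when used and clearing when done) without showing it. The following is an added example, not code from the deck or from any container, that implements that resolution over a Java KeyStore holding the password as a PBE SecretKeyEntry, which is what the keytool -importpass command mentioned as the tooling candidate writes. The alias syntax is the deck's; the archive format, the archive password and the "mysecret" value are assumptions, and the archive is built in memory so the example runs without a file.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: resolve "${ALIAS=token}" against a credential archive.
public final class AliasResolver {

    private static final Pattern ALIAS = Pattern.compile("^\\$\\{ALIAS=([^}]+)\\}$");
    private final KeyStore archive;
    private final char[] archivePassword;

    public AliasResolver(KeyStore archive, char[] archivePassword) {
        this.archive = archive;
        this.archivePassword = archivePassword;
    }

    // Plain values (e.g. a user name) pass through; an alias reference is looked
    // up at use time. The caller owns the returned array and must wipe it.
    public char[] resolve(String configured) throws GeneralSecurityException {
        Matcher m = ALIAS.matcher(configured);
        if (!m.matches()) {
            return configured.toCharArray();
        }
        KeyStore.Entry entry = archive.getEntry(m.group(1),
                new KeyStore.PasswordProtection(archivePassword));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no credential for alias " + m.group(1));
        }
        SecretKey key = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        // A password stored by "keytool -importpass" is a PBE key; recover its chars
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance("PBE")
                .getKeySpec(key, PBEKeySpec.class);
        char[] secret = spec.getPassword();
        spec.clearPassword();
        return secret;
    }

    // In-memory stand-in for the archive that would be bundled with the application.
    public static KeyStore constructedArchive(char[] archivePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey pw = SecretKeyFactory.getInstance("PBE")
                .generateSecret(new PBEKeySpec("mysecret".toCharArray()));   // constructed sample
        ks.setEntry("password", new KeyStore.SecretKeyEntry(pw),
                new KeyStore.PasswordProtection(archivePassword));
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] archivePw = "changeit".toCharArray();                         // assumed archive password
        AliasResolver resolver = new AliasResolver(constructedArchive(archivePw), archivePw);

        // The two values a @DataSourceDefinition on the slide would hand over
        char[] user = resolver.resolve("root");
        char[] dbPassword = resolver.resolve("${ALIAS=password}");
        try {
            System.out.println("user=" + new String(user) + " passwordLength=" + dbPassword.length);
        } finally {
            Arrays.fill(dbPassword, '\0');   // "cleared when done"
            Arrays.fill(user, '\0');
        }
    }
}
```

Keeping the secret as a char[] that is wiped in a finally block is the "cleared when done" half of the slide; the string form of the configuration value never contains the password, so deployment descriptors and annotations can be committed and shipped while the archive is provisioned separately.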


Use Case
API for Role/Permission Assignment

Application manages its own users and groups
  Application needs to assign roles (i.e., authorities, permissions) to users and groups, based on an application-specific model
  Users may be stored in an app-specified repository (e.g. LDAP)
  Users are managed without access to server configuration

Survey Results
API for Role/Permission Assignment

Survey question: Should we standardize group-to-role mapping?

(Slide shows the same "Security" excerpt of the Java EE 8 community survey report: "Most of the suggested improvements in the security area received strong support.")

Current Solutions
API for Role/Permission Assignment

No Java EE support
Only proprietary server support
3rd party security frameworks provide role/authority/permission APIs

Ideas: Standardized Role Mapping

Support in Deployment Descriptors, e.g. web.xml
<security-role-map>
    <!-- Group name as set/returned by the Authentication Module -->
    <group>MANAGER</group>

    <!-- Role name it maps to -->
    <role-name>EDIT_ACCOUNTS</role-name>
</security-role-map>

<!-- One-to-one group to role mapping -->
<security-role-map groupToRoleMapping="false" />

Ideas: Role Mapping Annotation

@EmbeddedIdentityStoreDefinition({
    @Credentials(callerName = "reza", password = "secret1", groups = { "foo", "bar" }),
    @Credentials(callerName = "alex", password = "secret2", groups = { "foo", "kaz" }),
    @Credentials(callerName = "arjan", password = "secret3", groups = { "foo" }) })
public class MyServlet {
}

Ideas: Dynamic Application-based Roles

(Diagram, assuming 1:1 Group-Role Mapping)
  1) App updates caller roles in the DB
  2) Caller logs in (JASPIC)
  3) JASPIC validates the credentials against the IdentityStore
  4) IdentityStore queries the DB for the caller
  5) IdentityStore returns caller, groups (i.e. roles)
  6) JASPIC returns caller, groups


Use Case
API for Security Context

Application needs to access the security API
  To get the authenticated user
  To check roles
  To invoke runAs
Application needs the same API to access the security context, regardless of container

Current Solutions
API for Security Context

No Java EE support
3rd party security frameworks provide a security context

Current Solutions
@Singleton
public class MyEjb {
    @Resource
    private SessionContext sessionContext;

    public String sayHello() {
        if (sessionContext.isCallerInRole("admin")) {
            return "Hello World!";
        }
        throw new SecurityException("User is unauthorized.");
    }
}

Current Solutions
public class MyServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request,
        HttpServletResponse resp) throws ServletException, IOException {

        if (request.isUserInRole("admin")) {
            // do something
            return; // without this the exception below fires for admins too
        }
        throw new ServletException("User is unauthorized.");
    }
}

Current Solutions
@RequestScoped
public class MyCdiBean {

    // Oh snap! No SecurityContext class for CDI
}

Current Solutions
public class MyJaxRsService {
    @GET
    @Produces("text/plain;charset=UTF-8")
    @Path("/hello")
    public String sayHello(@Context SecurityContext sc) {

        if (sc.isUserInRole("admin")) {
            return "Hello World!";
        }
        throw new SecurityException("User is unauthorized.");
    }
}

Ideas: Security Context

public interface SecurityContext {
    String getUserPrincipal();
    boolean isUserInRole(String role);
    List<String> getAllUsersRoles();
    boolean isAuthenticated();
    boolean isUserInAnyRole(List<String> roles);
    boolean isUserInAllRoles(List<String> roles);
    void login(Object request, Object response);
    void login(Map map);
    void logout();
    void runAs(String role);
    boolean hasAccessToResource();
    boolean hasAccessToBeanMethod();
}

Ideas: Security Context

For all managed beans: CDI, Servlet, EJB, JAX-RS, etc
public class MyFutureCdiBean {
    @Inject
    private SecurityContext securityContext;
    public String sayHello() {
        if (securityContext.isUserInRole("admin")) {
            return "Hello World!";
        }
        throw new SecurityException("User is unauthorized.");
    }
}
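The proposed SecurityContext interface above and the standardized group-to-role mapping a few slides earlier meet in the role-query methods: isUserInRole answers in terms of roles, while the identity store returns groups. The following is an added example, not code from the deck or the JSR 375 reference implementation, of those query methods implemented over a caller name, the caller's groups and a mapping equivalent to the deck's security-role-map fragment, including the groupToRoleMapping="false" one-to-one case. The class name and constructor are assumptions; login, logout and runAs are left out since they need the container.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: role queries of the proposed SecurityContext over mapped groups.
public final class MappedSecurityContext {

    private final String callerName;   // null when the request is unauthenticated
    private final Set<String> roles;

    // groupToRoleMapping=false is the deck's one-to-one case: groups pass through as roles
    public MappedSecurityContext(String callerName, Collection<String> callerGroups,
                                 Map<String, Set<String>> groupToRoles, boolean groupToRoleMapping) {
        this.callerName = callerName;
        Set<String> r = new HashSet<>();
        for (String g : callerGroups) {
            if (groupToRoleMapping) {
                r.addAll(groupToRoles.getOrDefault(g, Collections.<String>emptySet()));
            } else {
                r.add(g);
            }
        }
        this.roles = Collections.unmodifiableSet(r);
    }

    public String getUserPrincipal() { return callerName; }
    public boolean isAuthenticated() { return callerName != null; }
    public boolean isUserInRole(String role) { return roles.contains(role); }
    public List<String> getAllUsersRoles() { return new ArrayList<>(roles); }

    public boolean isUserInAnyRole(List<String> wanted) {
        for (String r : wanted) {
            if (roles.contains(r)) {
                return true;
            }
        }
        return false;
    }

    // Note the edge case: an empty "wanted" list is trivially satisfied, so callers
    // should never build the required-role list from untrusted input.
    public boolean isUserInAllRoles(List<String> wanted) {
        return roles.containsAll(wanted);
    }

    public static void main(String[] args) {
        // Constructed mapping equivalent to the deck's web.xml fragment:
        // <group>MANAGER</group> -> <role-name>EDIT_ACCOUNTS</role-name>
        Map<String, Set<String>> map = new HashMap<>();
        map.put("MANAGER", new HashSet<>(Arrays.asList("EDIT_ACCOUNTS")));

        MappedSecurityContext mapped =
            new MappedSecurityContext("jsmith", Arrays.asList("MANAGER"), map, true);
        System.out.println("mapped: EDIT_ACCOUNTS=" + mapped.isUserInRole("EDIT_ACCOUNTS")
            + " MANAGER=" + mapped.isUserInRole("MANAGER"));

        MappedSecurityContext oneToOne =
            new MappedSecurityContext("jsmith", Arrays.asList("MANAGER"), map, false);
        System.out.println("one-to-one: MANAGER=" + oneToOne.isUserInRole("MANAGER")
            + " all(MANAGER,EDIT_ACCOUNTS)="
            + oneToOne.isUserInAllRoles(Arrays.asList("MANAGER", "EDIT_ACCOUNTS")));

        MappedSecurityContext anonymous =
            new MappedSecurityContext(null, Collections.<String>emptyList(), map, true);
        System.out.println("anonymous: authenticated=" + anonymous.isAuthenticated()
            + " EDIT_ACCOUNTS=" + anonymous.isUserInRole("EDIT_ACCOUNTS"));
    }
}
```

With mapping enabled the group name itself is not a role, which is the behaviour the security-role-map slide implies and the reason a container needs the explicit one-to-one switch for applications that never configured a map.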


Use Case
API for Authorization Interceptors

Application needs to restrict specific methods to authorized users
  Application-model rules are used to make access decisions
  Role is insufficient

Survey Results
API for Authorization Interceptors

Survey questions:
  Should we consider adding Security Interceptors in Java EE 8?
  Should we simplify JASPIC?
  Should we simplify authorization by introducing an EL-enabled authorization annotation?
  Should we standardize on requirements for simple security providers and their configuration?

(Slide shows the "CDI" excerpt of the Java EE 8 community survey report: "The next four questions focused on continued CDI alignment. This was one of the focus areas of Java EE 7.")

Current Solutions
API for Authorization Interceptors

EE authorization has no rule based authorization, only role based
3rd party security frameworks provide rule, role and permission based APIs

Ideas: EL Authorization Rules

Expression Language rule would have access to managed beans for
SecurityContext and InvocationContext

@EvaluateSecured("security.hasRoles('MANAGER') && schedule.nowIsOfficeHrs")
void transferFunds() { /* ... */ }

Ideas: EL Authorization Rules

EL Authorization rules centrally managed in a repository
@LdapAuthorizationRules(
    name="java:app/accountAuthRules",
    ldapUrl="ldap://blah",
    ldapUser="ElDap",
    ldapPassword="mysecret") // clear text on the slide; a "${ALIAS=...}" reference would avoid it
public class MyBean {
    @EvaluateSecured(ruleSourceName="java:app/accountAuthRules", rule="transferFunds")
    void transferFunds() { /* ... */ }
}

Ideas: AccessDecisionVoter
A user-defined class for making access decisions

@Secured(AccountAccessDecisionVoter.class)
void transferFunds() { /* ... */ }

Ideas: AccessDecisionVoter
public class AccountAccessDecisionVoter implements AccessDecisionVoter {

    @Override
    public SecurityViolation checkPermission(AccessDecisionVoterContext ctx) {

        // Check for violations: the intercepted method is available from the context
        Method method = ctx.<InvocationContext>getSource().getMethod();

        boolean allowed = false; // replace with the application-model rule for this method
        if (allowed) {
            return null; // no violation: access granted
        }
        return new SecurityViolation("Sorry, not allowed");
    }
}
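The interceptor that applies a voter is not shown on the slides. The following is an added example, not code from the deck or from any JSR 375 artifact, of a CDI interceptor bound to @Secured(Voter.class) together with a voter that enforces the "MANAGER during office hours" rule the EL slide expresses. The @Secured binding, AccessDecisionVoter, AccessDecisionVoterContext, SecurityViolation and the SecurityContext the voter consults are assumed stand-ins for the proposal's types, and the 09:00 to 17:00 weekday window is a constructed policy; a Clock is passed so the boundary can be tested.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.time.Clock;
import java.time.DayOfWeek;
import java.time.LocalDateTime;
import java.time.LocalTime;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InterceptorBinding;
import javax.interceptor.InvocationContext;

// Added example: interceptor side of @Secured(Voter.class) plus an office-hours voter.
public class SecuredInterceptorExample {

    public interface SecurityContext { boolean isUserInRole(String role); }   // stand-in

    public static final class SecurityViolation {                            // stand-in
        private final String reason;
        public SecurityViolation(String reason) { this.reason = reason; }
        public String getReason() { return reason; }
    }

    public static final class AccessDecisionVoterContext {                   // stand-in
        public final InvocationContext invocation; public final SecurityContext security; public final Clock clock;
        public AccessDecisionVoterContext(InvocationContext i, SecurityContext s, Clock c) {
            invocation = i; security = s; clock = c;
        }
    }

    public interface AccessDecisionVoter {                                   // stand-in
        SecurityViolation checkPermission(AccessDecisionVoterContext ctx);   // null = allowed
    }

    @InterceptorBinding @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.METHOD, ElementType.TYPE})
    public @interface Secured { @Nonbinding Class<? extends AccessDecisionVoter> value(); }

    // Deny unless the caller is a MANAGER and it is a weekday between 09:00 and 17:00.
    public static final class AccountAccessDecisionVoter implements AccessDecisionVoter {
        public SecurityViolation checkPermission(AccessDecisionVoterContext ctx) {
            if (!ctx.security.isUserInRole("MANAGER")) {
                return new SecurityViolation("caller is not a MANAGER");
            }
            LocalDateTime now = LocalDateTime.now(ctx.clock);
            boolean weekday = now.getDayOfWeek().getValue() <= DayOfWeek.FRIDAY.getValue();
            LocalTime t = now.toLocalTime();
            boolean officeHours = !t.isBefore(LocalTime.of(9, 0)) && t.isBefore(LocalTime.of(17, 0));
            if (!weekday || !officeHours) {
                return new SecurityViolation("transfers are only allowed during office hours");
            }
            return null;
        }
    }

    @Secured(AccessDecisionVoter.class)   // binding value is @Nonbinding, so any @Secured matches
    @Interceptor
    public static class SecuredInterceptor {
        @Inject SecurityContext securityContext;

        @AroundInvoke
        public Object enforce(InvocationContext ic) throws Exception {
            Method m = ic.getMethod();
            Secured secured = (m != null) ? m.getAnnotation(Secured.class) : null;
            if (secured == null) {
                throw new SecurityException("@Secured binding without a voter");   // fail closed
            }
            AccessDecisionVoter voter = secured.value().getDeclaredConstructor().newInstance();
            SecurityViolation violation = voter.checkPermission(
                new AccessDecisionVoterContext(ic, securityContext, Clock.systemDefaultZone()));
            if (violation != null) {
                throw new SecurityException(violation.getReason());   // method body never runs
            }
            return ic.proceed();
        }
    }
}
```

The interceptor resolves the voter from the annotation on the intercepted method and throws before proceed(), so a violation can never leak a partial side effect; the voter returns a SecurityViolation or null exactly as the slide's checkPermission signature does.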


Get Involved
Contribute to the JSR!

Project Page: The starting point to all resources
https://java.net/projects/javaee-security-spec
Users List: Subscribe and contribute
users@javaee-security-spec.java.net
GitHub Playground: Fork and Play!
https://github.com/javaee-security-spec/javaee-security-proposals

Get Involved
Attend related sessions!

How Would You Improve the Java EE Security API? [BOF3666]
Tonight at 8 PM | Hilton, Plaza Room A
Hosted by Ivar Grimstad and Alex Kosowski

The Java EE 8 Opportunity [CON6086]
Presented by David Blevins, Tomitribe
Wednesday, Oct 28, 4:30 PM | Parc 55, Cyril Magnin II/III


Q & A
JSR 375 EE Security API

Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle's products remains at the sole discretion of Oracle.